Attacker Value

Unknown

(0 users assessed)

Exploitability

Unknown

(0 users assessed)

User Interaction

Unknown

Privileges Required

Unknown

Attack Vector

Unknown

0

CVE-2008-0960

Disclosure Date: June 10, 2008 •

Description

SNMPv3 HMAC verification in (1) Net-SNMP 5.2.x before 5.2.4.1, 5.3.x before 5.3.2.1, and 5.4.x before 5.4.1.1; (2) UCD-SNMP; (3) eCos; (4) Juniper Session and Resource Control (SRC) C-series 1.0.0 through 2.0.0; (5) NetApp (aka Network Appliance) Data ONTAP 7.3RC1 and 7.3RC2; (6) SNMP Research before 16.2; (7) multiple Cisco IOS, CatOS, ACE, and Nexus products; (8) Ingate Firewall 3.1.0 and later and SIParator 3.1.0 and later; (9) HP OpenView SNMP Emanate Master Agent 15.x; and possibly other products relies on the client to specify the HMAC length, which makes it easier for remote attackers to bypass SNMP authentication via a length value of 1, which only checks the first byte.

Add Assessment

No one has assessed this topic. Be the first to add your voice to the community.

CVSS V3 Severity and Metrics

Data provided by the National Vulnerability Database (NVD)

Base Score:

None

Impact Score:

Unknown

Exploitability Score:

Unknown

Vector:

Attack Vector (AV):

Unknown

Attack Complexity (AC):

Unknown

Privileges Required (PR):

Unknown

User Interaction (UI):

Unknown

Scope (S):

Unknown

Confidentiality (C):

Unknown

Integrity (I):

Unknown

Availability (A):

Unknown

Vendors

juniper

Products

References

Canonical

CVE-2008-0960 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0960)

BID-29623 (http://www.securityfocus.com/bid/29623)

Advisory

http://sourceforge.net/tracker/index.php?func=detail&aid=1989089&group_id=12694&atid=456380

SECUNIA-35463 (http://secunia.com/advisories/35463)

SECUNIA-30615 (http://secunia.com/advisories/30615)

http://support.apple.com/kb/HT2163

ADV-2008-1787 (http://www.vupen.com/english/advisories/2008/1787/references)

SECUNIA-30648 (http://secunia.com/advisories/30648)

http://www.kb.cert.org/vuls/id/CTAR-7FBS8Q

SECUNIA-32664 (http://secunia.com/advisories/32664)

ADV-2008-1981 (http://www.vupen.com/english/advisories/2008/1981/references)

ADV-2008-1801 (http://www.vupen.com/english/advisories/2008/1801/references)

http://lists.opensuse.org/opensuse-security-announce/2008-08/msg00000.html

[productinfo] 20080611 Ingate Firewall and SIParator affected by SNMPv3 vulnerability (http://lists.ingate.com/pipermail/productinfo/2008/000021.html)

SECUNIA-31351 (http://secunia.com/advisories/31351)

ADV-2008-1788 (http://www.vupen.com/english/advisories/2008/1788/references)

http://support.avaya.com/elmodocs2/security/ASA-2008-282.htm

FEDORA-2008-5215 (https://www.redhat.com/archives/fedora-package-announce/2008-June/msg00363.html)

SECUNIA-31334 (http://secunia.com/advisories/31334)

ADV-2008-2971 (http://www.vupen.com/english/advisories/2008/2971)

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10820

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6414

SECUNIA-30626 (http://secunia.com/advisories/30626)

SSRT080082 (http://marc.info?l=bugtraq&m=127730470825399&w=2)

[oss-security] 20080609 [oCERT-2008-006] multiple SNMP implementations HMAC authentication spoofing (http://www.openwall.com/lists/oss-security/2008/06/09/1)

VU#878044 (http://www.kb.cert.org/vuls/id/878044)

SECUNIA-30647 (http://secunia.com/advisories/30647)

SUNALERT-238865 (http://sunsolve.sun.com/search/document.do?assetkey=1-26-238865-1)

20081031 VMSA-2008-0017 Updated ESX packages for libxml2, ucd-snmp, libtiff (http://www.securityfocus.com/archive/1/497962/100/0/threaded)

ADV-2008-1836 (http://www.vupen.com/english/advisories/2008/1836/references)

SECUNIA-33003 (http://secunia.com/advisories/33003)

20080610 SNMP Version 3 Authentication Vulnerabilities (http://www.cisco.com/warp/public/707/cisco-sa-20080610-snmpv3.shtml)

ADV-2008-2361 (http://www.vupen.com/english/advisories/2008/2361)

SECUNIA-31568 (http://secunia.com/advisories/31568)

SECUNIA-31467 (http://secunia.com/advisories/31467)

APPLE-SA-2008-06-30 (http://lists.apple.com/archives/security-announce/2008//Jun/msg00002.html)

DSA-1663 (http://www.debian.org/security/2008/dsa-1663)

TA08-162A (http://www.us-cert.gov/cas/techalerts/TA08-162A.html)

http://www.kb.cert.org/vuls/id/MIMG-7ETS87

http://rhn.redhat.com/errata/RHSA-2008-0528.html

SREASON-3933 (http://securityreason.com/securityalert/3933)

http://www.redhat.com/support/errata/RHSA-2008-0529.html

SECUNIA-30612 (http://secunia.com/advisories/30612)

SECUNIA-30802 (http://secunia.com/advisories/30802)

https://bugzilla.redhat.com/show_bug.cgi?id=447974

http://www.vmware.com/security/advisories/VMSA-2008-0013.html

http://www.kb.cert.org/vuls/id/MIMG-7ETS5Z

EXPLOIT-DB-5790 (https://www.exploit-db.com/exploits/5790)

ADV-2008-1797 (http://www.vupen.com/english/advisories/2008/1797/references)

GLSA-200808-02 (http://security.gentoo.org/glsa/glsa-200808-02.xml)

20080609 [oCERT-2008-006] multiple SNMP implementations HMAC authentication spoofing (http://www.securityfocus.com/archive/1/493218/100/0/threaded)

SECUNIA-30665 (http://secunia.com/advisories/30665)

FEDORA-2008-5218 (https://www.redhat.com/archives/fedora-package-announce/2008-June/msg00459.html)

FEDORA-2008-5224 (https://www.redhat.com/archives/fedora-package-announce/2008-June/msg00380.html)

ADV-2008-1800 (http://www.vupen.com/english/advisories/2008/1800/references)

http://www.mandriva.com/security/advisories?name=MDVSA-2008:118

USN-685-1 (http://www.ubuntu.com/usn/usn-685-1)

http://sourceforge.net/forum/forum.php?forum_id=833770

SECTRACK-1020218 (http://www.securitytracker.com/id?1020218)

SECUNIA-30596 (http://secunia.com/advisories/30596)

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A5785

ADV-2009-1612 (http://www.vupen.com/english/advisories/2009/1612)

SECUNIA-30574 (http://secunia.com/advisories/30574)

Miscellaneous

http://www.vmware.com/security/advisories/VMSA-2008-0017.html

http://www.ocert.org/advisories/ocert-2008-006.html

Rapid7

Technical Analysis